Impact of Cyber and Economic Espionage To U.S. Companies…

A collaborative partnership…in 2013, CSIS (Center for Security and Internal Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years.

Spoiler alert; Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program…offered his best guess that ‘the upper limit (of the costs-losses attributed to cyber – economic espionage) might be somewhere under one percent of the U.S. GDP (gross domestic product).

Lewis also states, and I paraphrase…‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.

$140 billion annually, 508,000 jobs…I have no specific – objective evidence to challenge these figures, and certainly not question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena.

I am suggesting there may be some predictable factors…insofar as arriving at the $140 billion annual loss figure especially…

one of which lies in determining which assets and/or adverse impacts to include, and

the second is the methodology for determining their near term and long term value in terms of costs and losses companies will experience with respect to market space, competitive advantages, sustainability, etc.

those figures, in my judgment, may be somewhat subjective and/or embedded with a particular bias or even agenda that in turn may influence high or low valuations.

For example, it’s relatively common to see open source media and the abundance of ‘talking heads’ to…merely regurgitate (cherry picked) extraordinarily high dollar volume losses (impacts) to the U.S. economy, attributed to cyber – economic espionage, often ranging between $100 and $500+ billion annually that may suit their agenda, should there be one.

I genuinely believe Dr. Lewis’ findings to be as flawless, encompassing, and accurate as can be reasonably expected in the multi-faceted and ambiguous arena from which to acquire reliable and replicable data points.

for example, quite interestingly, the CSIS – McAfee report translates these asset loss estimates as representing perhaps as many as 508,000 U.S. jobs.

Too, a common challenge, insofar achieving credence to cyber-security-economic espionage survey findings…Dr. Lewis also points out, is that (survey) respondents are inclined to engage in self-selection…

obviously, when this occurs, it introduces a potential source of distortion to the results.

so, being mindful of these and other data collection challenges to this already sensitive topic for companies,

Lewis suggests loss estimates be based on assumptions about scale and effect.

changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.

CSIS – McAfee Assessment model…as a demonstration of Lewis’ intent to be as objective and encompassing as possible insofar as valuing losses attributed cyber and economic espionage, CSIS secured the expertise of prominent economists, intellectual property experts, security researchers, and even incorporated, what could appear at first blush irrelevant analogies to bring clarity to the figures they were reporting, e.g., comparative statistics for car crashes, product piracy, pilferage, crime stats, and drug usage which collectively were integrated, for comparison purposes, to serve as frameworks to draw upon in devising their assessment (valuation) model. By incorporating these analogies in the design of their assessment model, Dr. Lewis, CSIS, and McAfee were essentially suggesting, should my interpretation be correct, it’s problematic to rely exclusively on conventional methodologies, particularly time honored surveys, to identify dollar values to losses attributed to cyber-economic because…

companies that (publicly) reveal losses attributed to cyber – economic espionage are frequently unable to distinguish, with the necessary precision, the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed.

intellectual property – intangible asset losses are admittedly difficult to quantify with consensus, and when they are, the assessment – valuation is likely to reflect subjective guesstimates absent factoring numerous dependant variables which are invariably in play.

the self-selection process associated with most conventional (time honored) survey methodologies, frequently produce some distortion to the findings.

CSIS model includes six classifications of cyber – economic espionage…

were opportunity costs involved, including business and/or service disruptions that adversely effected consumer/customer expectations and trust particularly those related to the victim company’s online activities.

would be additional costs incurred by the victim company relative to securing their IT networks and incorporate greater resilience measures to provide quicker and fuller recovery when future attacks occur.

Each of the above should be examined through a lens of reverence…in that there is little question the inclusion of these and other factors, collectively help victim companies arrive at a more comprehensive and current appreciation for the losses, costs, and overall impacts caused by acts of cyber – economic espionage.

Economic (industrial) espionage is often euphemistically referred to as the world’s second oldest profession…behind, of course, to prostitution. Readers do recognize that an, as yet unknown percentage of malicious cyber activity, evolves as economic espionage and is an obvious by-product of the continually evolving IT and Internet arenas.

But still, as both cyber – economic espionage are irreversibly embedded in global business cultures…there remain a percentage of policymakers, c-suites, and management teams who find it a challenging phenomenon to understand and recognize insofar as articulating, with strategic clarity, precisely what either are and their relevance to their company – business, notwithstanding risk prevention, mitigation, and management.

Strategies to address these increasingly critical concerns through the lens of…economic, competitive advantage, and business sustainability, anyone of which, when they materialize, can produce substantial, if not utterly debilitating adverse effects to a company.

Respectfully, all emerges from…well grounded – objective research to aid business leadership to frame and execute near term and strategic decisions, actions, and responses that fit their business and its respective culture!

What’s the harm…if Dr. Lewis is correct in assuming, through the analogies he describes in the Report, some of which appear…

tantamount to inferring there are “tolerated costs” within in the realm of cyber crime and cyber espionage

which manifest as a ‘ceiling’ of sorts, for estimating losses.

Should the above be reasonably correct, and I believe it is, it further suggests that, at most, cybercrime and cyber espionage costs less than 1% of GDP…

for the U.S. then, in the context of its GDP,

Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 billion annually.

To provide context for this estimate…Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 billion in stolen/misappropriated intellectual properties he offers, does not translate to…